A botnet is a group of compromised machines that are centrally controlled by a botmaster, who uses it to distribute spam email or launch distributed denial of service (DDoS) attacks, issuing instructions through dedicated command and control (C&C) servers. Taking down a botnet is often a “cat and mouse” chase, because botmasters continuously move their C&C servers. More recently, the Tor network has attracted the attention of botmasters, who are particularly interested in the anonymity Tor can offer to a C&C server hosted as a hidden service, which can make a takedown even harder to accomplish.

Even though Tor renders C&C servers almost entirely anonymous, it exposes the activity of the botnet through distinct behavioral patterns. A botnet relying on Tor can be detected through recognizable network traffic and the characteristic ports it uses, and a host downloading the Tor software is itself a peculiar, detectable event. Moreover, a central C&C server attracts traffic from every bot in the botnet, and that concentration of connections stands out as an anomaly in the network. This does not mean Tor is a poor choice for building a botnet, but botmasters have to design around Tor’s particular infrastructure and its specific weaknesses.

Conventional detection methods, such as traffic signatures and DNS-based blacklists, cannot identify bot-infected hosts here, because connections across the Tor network are encrypted and hidden service addresses are resolved inside Tor rather than through the public Domain Name System (DNS). A recently published research paper introduced a mechanism named TorBot Stalker for detecting, deanonymizing and disrupting botnets built on the Tor network.

Design and efficiency of TorBot Stalker:

TorBot Stalker uses machine learning to fingerprint the timing and frequency of the Tor circuit data that carries the botnet’s traffic, and turns those fingerprints into a detector that identifies bot-infected hosts at the Tor network border. It is designed to identify infected machines in real time without compromising the privacy and anonymity of honest Tor users, since it works from circuit timing rather than from the content of the encrypted traffic.

TorBot Stalker can be deployed on any relay node in the Tor network and can tell Tor botnet traffic apart from honest applications such as Internet Relay Chat (IRC) running on the same host. In the experiments, TorBot Stalker reached an accuracy of around 99% with very few false positives. Applied to Tor entry relays, it can also estimate what fraction of the network’s traffic is botnet activity. The experiments showed that TorBot Stalker can efficiently deanonymize real Tor botnets, detecting both the infected hosts and their command and control servers.
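As an added illustration of the timing-fingerprint idea described above (this is not code from the paper, and not the authors' feature set or classifier): the constructed generators below mimic a beaconing bot circuit and an IRC-like interactive circuit as an entry relay would see them, extract three timing-only features per circuit, and train a minimal nearest-centroid classifier that labels unseen circuits. The traffic shapes, the 50 ms burst threshold, the feature choice and the seeds are all assumptions made for this example; the real system fingerprints actual Tor cell timings and uses its own learning method.

```python
import random
import statistics
from typing import Dict, List

# Constructed traffic generators (hypothetical shapes, not data from the paper).

def make_beacon_circuit(rng: random.Random, n: int = 60, period: float = 30.0,
                        jitter: float = 0.5) -> List[float]:
    """Bot-like circuit: check-ins at a fixed period with small jitter, 1-2 cells each."""
    t, stamps = 0.0, []
    for _ in range(n):
        t += period + rng.uniform(-jitter, jitter)
        burst = 1 + rng.randint(0, 1)
        stamps.extend(t + 0.001 * k for k in range(burst))
    return stamps

def make_interactive_circuit(rng: random.Random, n: int = 60) -> List[float]:
    """IRC-like circuit: human-timed, irregular gaps and variable message sizes."""
    t, stamps = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1 / 8.0)            # mean gap 8 s, heavy tail
        burst = rng.randint(1, 12)
        stamps.extend(t + 0.002 * k for k in range(burst))
    return stamps

def features(stamps: List[float], burst_gap: float = 0.05) -> List[float]:
    """Timing-only features of one circuit: regularity of the gaps between bursts,
    regularity of the burst sizes, and the mean burst size. No payload is inspected."""
    bursts, cur = [], [stamps[0]]
    for s in stamps[1:]:
        if s - cur[-1] < burst_gap:             # assumed threshold: cells within 50 ms form a burst
            cur.append(s)
        else:
            bursts.append(cur)
            cur = [s]
    bursts.append(cur)
    if len(bursts) < 2:                         # too short a circuit to say anything about gaps
        return [0.0, 0.0, float(len(stamps))]
    starts = [b[0] for b in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    sizes = [len(b) for b in bursts]
    mean_gap, mean_size = statistics.fmean(gaps), statistics.fmean(sizes)
    cv_gap = statistics.pstdev(gaps) / mean_gap     # near 0 for a beacon, near 1 for human traffic
    cv_size = statistics.pstdev(sizes) / mean_size
    return [cv_gap, cv_size, mean_size]

class NearestCentroid:
    """Minimal classifier: z-score the features, then pick the closest class centroid."""
    def __init__(self) -> None:
        self.mu: List[float] = []
        self.sd: List[float] = []
        self.centroids: Dict[str, List[float]] = {}

    def _z(self, x: List[float]) -> List[float]:
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def fit(self, X: List[List[float]], y: List[str]) -> "NearestCentroid":
        cols = list(zip(*X))
        self.mu = [statistics.fmean(c) for c in cols]
        self.sd = [statistics.pstdev(c) or 1.0 for c in cols]   # guard constant columns
        Z = [self._z(x) for x in X]
        for label in set(y):
            rows = [z for z, lab in zip(Z, y) if lab == label]
            self.centroids[label] = [statistics.fmean(c) for c in zip(*rows)]
        return self

    def predict(self, x: List[float]) -> str:
        z = self._z(x)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(z, self.centroids[lab])))

def build_dataset(seed: int, per_class: int = 100):
    """Labelled circuits, half beaconing bots and half interactive users (constructed)."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(per_class):
        X.append(features(make_beacon_circuit(rng))); y.append("bot")
        X.append(features(make_interactive_circuit(rng))); y.append("benign")
    return X, y

def train(seed: int = 1) -> NearestCentroid:
    X, y = build_dataset(seed)
    return NearestCentroid().fit(X, y)

def evaluate(model: NearestCentroid, seed: int = 2) -> Dict[str, float]:
    """Accuracy and false-positive count on circuits the model has not seen."""
    X, y = build_dataset(seed)
    preds = [model.predict(x) for x in X]
    correct = sum(p == t for p, t in zip(preds, y))
    false_pos = sum(p == "bot" and t == "benign" for p, t in zip(preds, y))
    return {"accuracy": correct / len(y), "false_positives": false_pos}

if __name__ == "__main__":
    print(evaluate(train()))
```

Because the features are computed from cell timestamps alone, a relay running this needs to decrypt nothing, which is the same property the page claims for honest-user privacy. In a deployment the features would be computed over a sliding window per circuit so that a verdict is available while the circuit is still open. Note also that a bot which randomizes its check-in interval pushes cv_gap toward the benign range; that is exactly the kind of Tor-aware design the article says botmasters have to adopt.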

TorBot Stalker has also been found to identify botnets that rotate their Tor entry guards. The work exposes a range of weaknesses in the Tor protocol and in the way botnets implement their command and control servers on top of it, including denial of service against the hidden service, identification of the entry guards, and harvesting of hidden service descriptors. Centralized Tor-based botnets, in particular, are the easiest for TorBot Stalker to identify.

Final thoughts:

Botmasters are in a continuous fight with law enforcement agencies and researchers to prolong the life of their botnets, and they try to do so by designing botnets that resist detection by the means presently available. That is why they have recently been using the Tor network to anonymize their botnets’ command and control servers. TorBot Stalker has proven an effective tool for detecting Tor-based botnets, and it has shown that command and control servers hosted on the Tor network are vulnerable to attacks such as crawling and sinkholing. Future studies are needed to determine whether TorBot Stalker remains effective when the botmaster is able to compromise particular relay nodes, or a significant proportion of the relays across the Tor network.